Skip to main content

Caddy CVE-2023-50463

MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2023-12-10 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 10, 2023 - 23:15 nvd
MEDIUM 6.5

DescriptionNVD

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

AnalysisAI

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-290. The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions). Affected products include: Caddyserver Caddy. Version information: through 0.6.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Caddy

View all
CVE-2026-27590 CRITICAL POC
9.8 Feb 24

FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to

CVE-2026-27586 CRITICAL POC
9.1 Feb 24

TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in Cli

CVE-2026-27588 CRITICAL POC
9.1 Feb 24

Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casi

CVE-2026-27587 CRITICAL POC
9.1 Feb 24

Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using altern

CVE-2026-30851 HIGH POC
8.1 Mar 07

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, e

CVE-2026-30852 HIGH POC
7.5 Mar 07

Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows re

CVE-2022-34037 HIGH POC
7.5 Jul 22

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers

CVE-2026-27585 MEDIUM POC
6.5 Feb 24

Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-bas

CVE-2026-27589 MEDIUM POC
6.5 Feb 24

Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is d

CVE-2017-5963 MEDIUM POC
6.1 Feb 12

An issue was discovered in caddy (for TYPO3) before 7.2.10. Rated medium severity (CVSS 6.1), this vulnerability is remo

CVE-2018-19148 LOW POC
3.7 Nov 10

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumer

CVE-2022-29718 MEDIUM
6.1 Jun 02

Caddy v2.4 was discovered to contain an open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerabilit

Share

CVE-2023-50463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy